diff --git a/adbd.te b/adbd.te
index 4f332b3579245dd233431f80c3d375426de493e1..84d1c2bf5068d31f45a2b8145acdc8959c7ec5be 100644
--- a/adbd.te
+++ b/adbd.te
@@ -1,7 +1,6 @@
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type adbd, domain;
-permissive adbd;
 unconfined_domain(adbd)
 domain_auto_trans(adbd, shell_exec, shell)
 # this is an entrypoint
diff --git a/bluetooth.te b/bluetooth.te
index 3b733047596c1b84bf37bf3701b549e43b0ac188..72263e3c5ebf8640da78eff9be8790c164db63f3 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,5 +1,4 @@
 # bluetooth subsystem
 type bluetooth, domain;
-permissive bluetooth;
 app_domain(bluetooth)
 unconfined_domain(bluetooth)
diff --git a/clatd.te b/clatd.te
index ebbb79ca8f3bbc77c5674631b29abae1f367c6c0..dc62fb09984f7957be335d4652deb8348234b620 100644
--- a/clatd.te
+++ b/clatd.te
@@ -1,6 +1,5 @@
 # 464xlat daemon
 type clatd, domain;
-permissive clatd;
 type clatd_exec, exec_type, file_type;
 
 init_daemon_domain(clatd)
diff --git a/debuggerd.te b/debuggerd.te
index 690e695484afe080ecef15566ad96c4216fb3efa..cdf00de28504c340a26181c397f22fb4c59c1540 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,6 +1,5 @@
 # debugger interface
 type debuggerd, domain;
-permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
diff --git a/dhcp.te b/dhcp.te
index 4fe24e70aede59dd61494a4b6664379193a71064..500456574a21a663fcd283bb67e40603aba047ce 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,5 +1,4 @@
 type dhcp, domain;
-permissive dhcp;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 type dhcp_system_file, file_type, data_file_type;
diff --git a/dnsmasq.te b/dnsmasq.te
index ff81367984383dfefcd59831ba6a33560406a3b6..a5c647a7ed1ed3381918505fcf8519c2022b5332 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -1,5 +1,4 @@
 type dnsmasq, domain;
-permissive dnsmasq;
 type dnsmasq_exec, exec_type, file_type;
 
 init_daemon_domain(dnsmasq)
diff --git a/drmserver.te b/drmserver.te
index c9fc5f666221b5b1450b06ddfcc69fb6d053ae62..8727bc175d5a70e00e8d4f2724fe50fcc9f1138b 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,6 +1,5 @@
 # drmserver - DRM service
 type drmserver, domain;
-permissive drmserver;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
diff --git a/gpsd.te b/gpsd.te
index 6d6fbd75ac0fbb1ad214ea3d58200aad690fddb5..403a6b75dd7d7c44a08ae1d5d19aaf4dde5ffe70 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -1,6 +1,5 @@
 # gpsd - GPS daemon
 type gpsd, domain;
-permissive gpsd;
 type gpsd_exec, exec_type, file_type;
 
 init_daemon_domain(gpsd)
diff --git a/hci_attach.te b/hci_attach.te
index 15b73ffee7f19eec82f506b992e1f8d429c6b27f..40e3150852a803945a9e8fa3dbb1eeb5bd66975c 100644
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -1,5 +1,4 @@
 type hci_attach, domain;
-permissive hci_attach;
 type hci_attach_exec, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
diff --git a/healthd.te b/healthd.te
index 52c466e4835b0caa7e7906e7a364c1352641ce97..2241f23cb97eb6e3f951bbb199a8667473edc25e 100644
--- a/healthd.te
+++ b/healthd.te
@@ -1,7 +1,6 @@
 # healthd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
-permissive healthd;
 type healthd_exec, exec_type, file_type;
 
 init_daemon_domain(healthd)
diff --git a/hostapd.te b/hostapd.te
index f13b2e0226bad9515da8acf3dfd6d0f51d9071ca..79db3c37ba6caf762ba2b8c8d2c6f956f3371c0d 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -1,5 +1,4 @@
 type hostapd, domain;
-permissive hostapd;
 type hostapd_exec, exec_type, file_type;
 
 init_daemon_domain(hostapd)
diff --git a/init_shell.te b/init_shell.te
index 900826efedd2b3d60807f6216d0f2a4079099203..696a6dcac3c08e92cd6abe92415a10e3b07858f1 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,5 +1,4 @@
 # Restricted domain for shell processes spawned by init
 type init_shell, domain;
-permissive init_shell;
 domain_auto_trans(init, shell_exec, init_shell)
 unconfined_domain(init_shell)
diff --git a/keystore.te b/keystore.te
index d438cfa41507137ec876a077e301a750b3b5b421..a7f4b4d6462dbdd303a22dc5dcb7f5b2d9cac6c9 100644
--- a/keystore.te
+++ b/keystore.te
@@ -1,5 +1,4 @@
 type keystore, domain;
-permissive keystore;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
diff --git a/media_app.te b/media_app.te
index f0f987fac796698f54dfddd3e71b181443b08453..1fe06ddc0e6eb7434f573ba6276eebf1d12701eb 100644
--- a/media_app.te
+++ b/media_app.te
@@ -3,7 +3,6 @@
 ###
 
 type media_app, domain;
-permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
diff --git a/mediaserver.te b/mediaserver.te
index a8e78d21ea6334c875dcebd385dcfa0d31734174..1b94d86d6b17a6ef7b32178c26bdeba5df3fc92e 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,6 +1,5 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
-permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;
 
 net_domain(mediaserver)
diff --git a/mtp.te b/mtp.te
index eb893268ebbe382c5414d8e86898cd9fc90a61d8..48a552579d6de88aecb3e6466e3c6fd467e5c1f9 100644
--- a/mtp.te
+++ b/mtp.te
@@ -1,6 +1,5 @@
 # vpn tunneling protocol manager
 type mtp, domain;
-permissive mtp;
 type mtp_exec, exec_type, file_type;
 
 init_daemon_domain(mtp)
diff --git a/nfc.te b/nfc.te
index f5432f186a510f9f2f067c8838967a22376a6e01..31b9144335108fe251611d244f66882e37c85eff 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,5 +1,4 @@
 # nfc subsystem
 type nfc, domain;
-permissive nfc;
 app_domain(nfc)
 unconfined_domain(nfc)
diff --git a/ping.te b/ping.te
index 19f3a4741baeabdeefa03e2ec598d5f47d640224..37b9b3c36240bd0d44d6b3e1c004c90aab227734 100644
--- a/ping.te
+++ b/ping.te
@@ -1,5 +1,4 @@
 type ping, domain;
-permissive ping;
 type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
 unconfined_domain(ping)
diff --git a/platform_app.te b/platform_app.te
index 38d8fcd62936c71ef1f8ed728f8a32ef00cf6eea..042d495408f1d1f91724b3b36a709c5874f1a261 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -3,7 +3,6 @@
 ###
 
 type platform_app, domain;
-permissive platform_app;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
diff --git a/ppp.te b/ppp.te
index 3387cde2fd94a871dc2327342c669775849e2a41..bc1bafcb891eff67f540bf7d9263564da08c655f 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,6 +1,5 @@
 # Point to Point Protocol daemon
 type ppp, domain;
-permissive ppp;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 type ppp_system_file, file_type;
diff --git a/qemud.te b/qemud.te
index 1266e1fd9c1cf01aeb021e5ccdcdeea56727d28e..caf7a09f123dbb159b02d0cad92dfb6405607055 100644
--- a/qemud.te
+++ b/qemud.te
@@ -1,6 +1,5 @@
 # qemu support daemon
 type qemud, domain;
-permissive qemud;
 type qemud_exec, exec_type, file_type;
 
 init_daemon_domain(qemud)
diff --git a/racoon.te b/racoon.te
index 2d3afb81eed10522d46fba8baf31daa3055c97d9..12955f210263563f427b38c1527b3b854a6adaf0 100644
--- a/racoon.te
+++ b/racoon.te
@@ -1,6 +1,5 @@
 # IKE key management daemon
 type racoon, domain;
-permissive racoon;
 type racoon_exec, exec_type, file_type;
 
 unconfined_domain(racoon)
diff --git a/radio.te b/radio.te
index 6d569b07c94d2bf62b63f49918fbdc9be79dd66a..feea2cc6dff36782c9ed511fa596b3737ed912a0 100644
--- a/radio.te
+++ b/radio.te
@@ -1,6 +1,5 @@
 # phone subsystem
 type radio, domain;
-permissive radio;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/release_app.te b/release_app.te
index 285f48300a99d1e6a244b3005f9193c3a1a8c7c2..e7e4b3537643ab1eb82eb44728ecc2fc2179b3ae 100644
--- a/release_app.te
+++ b/release_app.te
@@ -3,7 +3,6 @@
 ###
 
 type release_app, domain;
-permissive release_app;
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
diff --git a/rild.te b/rild.te
index a93b3aca7fc3cfcebcf79521337d149b4a0609fe..9aba8a288b63018bae64d663f2a6f87ad3dcad1f 100644
--- a/rild.te
+++ b/rild.te
@@ -1,6 +1,5 @@
 # rild - radio interface layer daemon
 type rild, domain;
-permissive rild;
 type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
diff --git a/runas.te b/runas.te
index ec5e1c4b6aa34d6d935acbd46651cab83de93cf6..6446a9e4b9fda0543ee5ccbe3474b724e4201ff2 100644
--- a/runas.te
+++ b/runas.te
@@ -1,6 +1,5 @@
 type runas, domain;
 type runas_exec, exec_type, file_type;
-permissive runas;
 unconfined_domain(runas)
 
 # ndk-gdb invokes adb shell run-as.
diff --git a/sdcardd.te b/sdcardd.te
index 32e686cd177d75cf23593eed084c1454634e8fa2..25d12463a2fadbdb6638d8e67c039fb6eba86d4f 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,5 +1,4 @@
 type sdcardd, domain;
-permissive sdcardd;
 type sdcardd_exec, exec_type, file_type;
 
 init_daemon_domain(sdcardd)
diff --git a/servicemanager.te b/servicemanager.te
index 80ed9dfebd71d1876b6db0727cb2a4848e259a9a..10b6aad62713d2ae16c2abdf59881f611a808b2a 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,6 +1,5 @@
 # servicemanager - the Binder context manager
 type servicemanager, domain;
-permissive servicemanager;
 type servicemanager_exec, exec_type, file_type;
 
 init_daemon_domain(servicemanager)
diff --git a/shared_app.te b/shared_app.te
index b66fbfbe615a21db5be06fcba88f8a368fa070ce..8475e0c9aebc845204224024d10379017d9fdf79 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -3,7 +3,6 @@
 ###
 
 type shared_app, domain;
-permissive shared_app;
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
diff --git a/su.te b/su.te
index c1f002f86b54b47470430d2464ecb7fec87d458d..b68536c3aa1998e82ceb22901ba1e87ea720cfd0 100644
--- a/su.te
+++ b/su.te
@@ -1,5 +1,4 @@
 type su, domain;
-permissive su;
 type su_exec, exec_type, file_type;
 domain_auto_trans(shell, su_exec, su)
 
diff --git a/surfaceflinger.te b/surfaceflinger.te
index ba66b83b1fadfb6dc21867f1bf077629375bf4c6..aa63e6bffb16df9328b4d41af49690d27962bd82 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,6 +1,5 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
-permissive surfaceflinger;
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)
diff --git a/system_app.te b/system_app.te
index 61a18dbc76d81f0965dcf475bf114271172c0d8f..d274ac107944a6598f0ac69c54ef4840c66bc216 100644
--- a/system_app.te
+++ b/system_app.te
@@ -4,6 +4,5 @@
 # server.
 #
 type system_app, domain;
-permissive system_app;
 app_domain(system_app)
 unconfined_domain(system_app)
diff --git a/system_server.te b/system_server.te
index fd2d13076ed083c63be84eca4789ad810512c2b0..2e86b6a035b2b7544fe72fff81f018b7ac5c3ced 100644
--- a/system_server.te
+++ b/system_server.te
@@ -3,7 +3,6 @@
 # Most of the framework services run in this process.
 #
 type system_server, domain;
-permissive system_server;
 unconfined_domain(system_server);
 relabelto_domain(system_server);
 
diff --git a/tee.te b/tee.te
index 2fab2820cf65103b27a9c972361d34cb8fe12e6e..1aae06ea0373b04cdcb4717145a379d2edda4702 100644
--- a/tee.te
+++ b/tee.te
@@ -6,6 +6,5 @@ type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
 
-permissive tee;
 unconfined_domain(tee)
 init_daemon_domain(tee)
diff --git a/watchdogd.te b/watchdogd.te
index 3bf9aae1db009b02099080118c497eb633aaba52..9af871cdd800c3a00989a10362a9e9a9c05ef025 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,5 +1,4 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
-permissive watchdogd;
 unconfined_domain(watchdogd)
 allow watchdogd rootfs:file entrypoint;
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index c924214393d109957f49ef377a7c179b6b8bd8f5..5ef357311699abb07a8d69e7ff49dd428a236bd0 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -1,6 +1,5 @@
 # wpa - wpa supplicant or equivalent
 type wpa, domain;
-permissive wpa;
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)